Security Target
SQL Server 2008 Team

Author: Roger French
Version: 1.2
Date: 2009-01-23


Abstract
This document is the Security Target (ST) for the Common Criteria certification of the
database engine of Microsoft® SQL Server® 2008.

Keywords
CC, ST, Common Criteria, SQL, Security Target







Security Target Microsoft SQL Server 2008 Database Engine Common Criteria Evaluation
Page 2/56


Table of Contents
Page
1 ST INTRODUCTION 6
1.1 ST and TOE Reference 6
1.2 TOE Overview 7
1.3 TOE Description 7
1.3.1 Product Type 7
1.3.2 Physical Scope and Boundary of the TOE 8
1.3.3 Architecture of the TOE 11
1.3.4 Logical Scope and Boundary of the TOE 11
1.4 Conventions 14
2 CONFORMANCE CLAIMS 15
2.1 CC Conformance Claim 15
2.2 PP Conformance Claim 15
3 SECURITY PROBLEM DEFINITION 16
3.1 Assets 16
3.2 Assumptions 17
3.3 Threats 18
3.4 Organizational Security Policies 19
4 SECURITY OBJECTIVES 20

4.1 Security Objectives for the TOE 20
4.2 Security Objectives for the operational Environment 21
4.3 Security Objectives Rationale 22
4.3.1 Overview 22
4.3.2 Rationale for TOE Security Objectives 23
4.3.3 Rationale for environmental Security Objectives 26
5 EXTENDED COMPONENT DEFINITION 28
5.1 Definition for FAU_STG.5.EXP 28
6 IT SECURITY REQUIREMENTS 30
6.1 TOE Security Functional Requirements 31
6.1.1 Class FAU: Security Audit 32
6.1.2 Class FDP: User Data Protection 34
6.1.3 Class FIA: Identification and authentication 35
6.1.4 Class FMT: Security Management 36
6.2 TOE Security Assurance Requirements 40
6.3 Security Requirements rationale 40
6.3.1 Security Functional Requirements rationale 40
6.3.2 Rationale for satisfying all Dependencies 44
6.3.3 Rationale for Assurance Requirements 45
7 TOE SUMMARY SPECIFICATION 46
7.1 Security Management (SF.SM) 46
7.2 Access Control (SF.AC) 46
7.3 Identification and Authentication (SF.I&A) 48

7.4 Security Audit (SF.AU) 49
8 APPENDIX 51
8.1 Concept of Ownership Chains 51

8.1.1 How Permissions Are Checked in a Chain 51
8.1.2 Example of Ownership Chaining 51
8.2 References 53
8.3 Glossary and Abbreviations 54
8.3.1 Glossary 54
8.3.2 Abbreviations 55


List of Tables
Page
Table 1: Hardware and Software Requirements 11
Table 2 - Assumptions 17
Table 3 - Threats to the TOE 18
Table 4 – Organizational Security Policies 19
Table 5 - Security Objectives for the TOE 20
Table 6 - Security Objectives for the TOE Environment 21
Table 7 – Summary of Security Objectives Rationale 22
Table 8 – Rationale for TOE Security Objectives 23
Table 9 – Rationale for IT Environmental Objectives 26
Table 10 - TOE Security Functional Requirements 31
Table 11 - Auditable Events 33
Table 12 - Default Server Roles 39
Table 13 – Default Database Roles 39
Table 14 – Rationale for TOE Security Requirements 40
Table 15 – Functional Requirements Dependencies for the TOE 44



List of Figures
Page
Figure 1: TOE 9
Figure 2: Concept of Ownership Chaining 52

1 ST Introduction
This chapter presents Security Target (ST) and TOE identification information and a general
overview of the ST. An ST contains the information technology (IT) security requirements of
an identified Target of Evaluation (TOE) and specifies the functional and assurance security
measures offered by that TOE to meet stated requirements. An ST principally defines:
a) A security problem expressed as a set of assumptions about the security aspects
of the environment, a list of threats that the TOE is intended to counter, and any
known rules with which the TOE must comply (chapter 3, Security Problem
Definition)
b) A set of security objectives and a set of security requirements to address the
security problem (chapters 4 and 6, Security Objectives and IT Security
Requirements, respectively).
c) The IT security functions provided by the TOE that meet the set of requirements
(chapter 7, TOE Summary Specification).
1.1 ST and TOE Reference
This chapter provides information needed to identify and control this ST and its Target of
Evaluation (TOE).
ST Title: Microsoft SQL Server 2008 Database Engine Common Criteria Evaluation Security Target
ST Version: 1.2
Date: 2009-01-23
Author: Roger French, Microsoft Corporation
Certification-ID: BSI-DSZ-CC-0520
TOE Identification: Database Engine of Microsoft SQL Server 2008 Enterprise Edition (English)
x86 and x64 and its related guidance documentation ([AGD] and [AGD_ADD])
TOE Version: 10.0.1600.22
TOE Platform: Windows Server 2008 Enterprise Edition (English) Version 6.0.6001
CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1,
Revision 1 as of September 2006 for part I, revision 2 as of September 2007 for parts II and III,
English version.
Evaluation Assurance Level: EAL 1 augmented by ASE_OBJ.2, ASE_REQ.2 and ASE_SPD.1.
PP Conformance: none
Keywords: CC, ST, Common Criteria, SQL, Security Target


1.2 TOE Overview
The TOE is the database engine of SQL Server 2008. SQL Server is a Database
Management System (DBMS).
The TOE has been developed as the core of the DBMS to store data in a secure way.
The security functionality of the TOE comprises:
 Security Management
 Access Control
 Identification and Authentication
 Security Audit
A summary of the TOE security functions can be found in chapter 1.3.4. A more detailed
description of the security functions can be found in chapter 7, TOE Summary Specification.
Please note that only the SQL Server 2008 database engine is addressed in this ST. Other
related products of the SQL Server 2008 platform, such as Service Broker, provide services
that are useful but are not central to the enforcement of security policies. Hence, security
evaluation is not directly applicable to those other products.
1.3 TOE Description
This chapter provides context for the TOE evaluation by identifying the product type and
describing the evaluated configuration. The main purpose of this chapter is to bind the TOE
in physical and logical terms. The chapter starts with a description of the product type before
it introduces the physical scope, the architecture and last but not least the logical scope of
the TOE.
1.3.1 Product Type
The product type of the Target of Evaluation (TOE) described in this ST is a database
management system (DBMS) with the capability to limit TOE access to authorized users,
enforce Discretionary Access Controls on objects under the control of the database
management system based on user and/or role authorizations, and to provide user
accountability via audit of users' actions.
A DBMS is a computerized repository that stores information and allows authorized users to
retrieve and update that information. A DBMS may be a single-user system, in which only
one user may access the DBMS at a given time, or a multi-user system, in which many users
may access the DBMS simultaneously.
The TOE which is described in this ST is the database engine and therefore part of SQL
Server 2008. It provides a relational database engine providing mechanisms for Access
Control, Identification and Authentication and Security Audit.

The SQL Server platform additionally includes the following tools which are not part of the
TOE:
 SQL Server Replication: Data replication for distributed or mobile data processing
applications and integration with heterogeneous systems
 Analysis Services: Online analytical processing (OLAP) capabilities for the analysis of
large and complex datasets.
 Reporting Services: A comprehensive solution for creating, managing, and delivering
both traditional, paper-oriented reports and interactive, Web-based reports.
 Integration Services: Microsoft Integration Services is a platform for building
enterprise-level data integration and data transformations solutions.
 Management tools: The SQL Server platform includes integrated management tools
for database management and tuning as well as tight integration with tools such as
Microsoft Operations Manager (MOM) and Microsoft Systems Management Server
(SMS).
 Development tools: SQL Server offers integrated development tools for the database
engine, data extraction, transformation, and loading (ETL), data mining, OLAP, and
reporting that are tightly integrated with Microsoft Visual Studio to provide end-to-end
application development capabilities
 Other tools offered by the installation process: Full Text Search, Business Intelligence
Development Studio, Client tools connectivity, Client tools backwards compatibility,
Client tools SDK, SQL client connectivity SDK, Microsoft sync framework.
The TOE itself only comprises the database engine of the SQL Server 2008 platform which
provides the security functionality as required by this ST. Any additional tools of the SQL
Server 2008 platform interact with the TOE as a standard SQL client. The scope and
boundary of the TOE will be described in the next chapter. Please refer to [AGD_ADD] for
more information about the installation process of the TOE.
1.3.2 Physical Scope and Boundary of the TOE
The TOE is the database engine of the SQL Server 2008 and its related guidance
documentation. This engine has been evaluated in two different configurations (x86 and x64)
while the IA64 version of the database engine has not been evaluated.
The following figure shows the TOE (including its internal structure) and its immediate
environment.


Figure 1: TOE
As seen in Figure 1 the TOE internally comprises the following logical units:
The Communication part is the interface for programs accessing the TOE. It is the interface
between the TOE and clients performing requests.
All responses to user application requests return to the client through this part of the TOE.
The Relational Engine is the core of the database engine and is responsible for all security
relevant decisions. The relational engine establishes a user context, syntactically checks
every Transact SQL (T-SQL) statement, compiles every statement, checks permissions to
determine if the statement can be executed by the user associated with the request,
optimizes the query request, builds and caches a query plan, and executes the statement.
The Storage Engine is a resource provider. When the relational engine attempts to execute
a T-SQL statement that accesses an object for the first time, it calls upon the storage engine
to retrieve the object, put it into memory and return a pointer to the execution engine. To
perform these tasks, the storage engine manages the physical resources for the TOE by
using the Windows OS.
The SQL-OS is a resource provider for all situations where the TOE uses functionality of the
operating system. SQL-OS provides an abstraction layer over common OS functions and
was designed to reduce the number of context switches within the TOE. SQL-OS especially
contains functionality for Task Management and for Memory Management.
For Task Management the TOE provides an OS-like environment for threads, including
scheduling and synchronization, all running in user mode, all (except for I/O) without
calling the Windows Operating System.

The Memory Manager is responsible for the TOE memory pool. The memory pool is used to
supply the TOE with its memory while it is executing. Almost all data structures that use
memory in the TOE are allocated in the memory pool. The memory pool also provides
resources for transaction logging and data buffers.
The immediate environment of the TOE comprises:
The Windows 2008 Server Enterprise Edition Operating System, which hosts the TOE.
As the TOE is a software only TOE it lives as a process in the Operating System (OS) and
uses the resources of the OS. These resources comprise general functionality (e.g. the
memory management and scheduling features of the OS) as well as specific functionality of
the OS, which is important for the Security Functions of the TOE (see chapter 7 for more
details).
Other parts of the SQL Server 2008 Platform, which might be installed together with the
TOE. The TOE is the central part of a complete DBMS platform, which realizes all Security
Functions as described in this ST. However, other parts of the platform may be installed on
the same machine if they are needed to support the operation or administration of the TOE.
These other parts interact with the TOE in the same way as every other client would.

Clients (comprising local clients and remote clients) are used to interact with the TOE during
administration and operation. Services of the Operating System are used to route the
communication of remote clients with the TOE.
The TOE relies on functionality of the Windows 2008 Server Operating System and has the
following hardware/software requirements:

Table 1: Hardware and Software Requirements
CPU:
 Pentium III compatible at 1 GHz or faster (for the 32 bit edition)
 AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with
EM64T support at 1.4 GHz or faster¹
RAM: 512 MB
Hard Disk: Approx 1500 MB of free space
Other: DVD ROM drive, display at Super VGA resolution, Microsoft mouse compatible pointing
device, keyboard
Software:
Windows Server 2008 Enterprise Edition (in 64 or 32 bit), English version, version 6.0.6001
.NET Framework 3.5 SP 1
Windows Installer 4.5

The following guidance documents and supportive information belong to the TOE:

 SQL Server 2008 Books Online: This is the general guidance documentation for the
complete SQL Server 2008 platform
 SQL Server Guidance Addendum / Installation / Startup: This document contains the
aspects of the guidance that are specific to the evaluated configuration of SQL Server
2008
The website contains
additional information about the TOE and its evaluated configuration. The guidance
addendum that describes the specific aspects of the certified version can also be obtained via this
website. The guidance addendum extends the general guidance of SQL Server 2008 that
ships along with the product in the form of Books Online.
This website shall be visited before using the TOE.
1.3.3 Architecture of the TOE
The TOE which is described in this ST comprises one instance of the SQL Server 2008
database engine but has the possibility to serve several clients simultaneously.
1.3.4 Logical Scope and Boundary of the TOE
SQL Server 2008 is able to run multiple instances of the database engine on one machine.
After installation one default instance exists. However the administrator is able to add more
instances of SQL Server 2008 to the same machine.
The TOE comprises one instance of SQL Server 2008. Within this ST it is referenced either
as "the TOE" or as "instance". The machine the instances are running on is referenced as
"server" or "DBMS-server".


¹ Please note that IA64 CPUs are not supported for the certified version of the database engine of SQL Server
2008.


If more than one instance of SQL Server 2008 is installed on one machine, these just
represent multiple TOEs, as there is no other interface between two instances of the TOE
than the standard client interface. In this way two or more instances of the TOE may only
communicate through the standard client interface.
The TOE provides the following set of security functionality:
 The Access Control function of the TOE controls the access of users to user and
TSF data stored in the TOE. It further controls that only authorized administrators are
able to manage the TOE.
 The Security Audit function of the TOE produces log files about all security relevant
events.
 The Management function allows authorized administrators to manage the behavior
of the security functions of the TOE.
 The Identification and Authentication² function of the TOE is able to identify and
authenticate users.
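The following T-SQL script is an added illustration, not part of the Security Target or of Microsoft's own material: it exercises the Access Control and Management functions just listed on a throwaway database, showing the relational engine rejecting a read by a user without authorization, rejecting an attempt by that user to grant itself permission, and permitting the read once an administrator has added the user to a role. All object names (CCDemo, Payroll, demo_reader, app_reader) and the password placeholder are constructed for the example; run it as a member of sysadmin.

```sql
-- Added example (not from the Security Target): discretionary access control
-- based on role authorizations, and management reserved to administrators.
-- All names are constructed for this illustration.
USE master;
GO
-- I&A performed by the TOE itself (SQL Server authentication); placeholder password.
CREATE LOGIN demo_reader WITH PASSWORD = '<replace-with-a-strong-password>';
GO
CREATE DATABASE CCDemo;
GO
USE CCDemo;
GO
CREATE TABLE dbo.Payroll (EmployeeId int PRIMARY KEY, Salary money NOT NULL);
INSERT INTO dbo.Payroll (EmployeeId, Salary) VALUES (1, 50000), (2, 62000);
GO
-- Map the login to a database user; apart from CONNECT it holds no permission yet.
CREATE USER demo_reader FOR LOGIN demo_reader;
GO
-- Authorizations are attached to a role, not to individual users.
CREATE ROLE app_reader;
GRANT SELECT ON dbo.Payroll TO app_reader;
GO
-- Switch the execution context to the unprivileged user. This is the situation of
-- T.UNAUTHORIZED_ACCESS: the user simply asks for data it has no permission on.
EXECUTE AS USER = 'demo_reader';
-- Effective permissions of the current user on the table (before role membership).
SELECT permission_name FROM fn_my_permissions('dbo.Payroll', 'OBJECT');
BEGIN TRY
    SELECT EmployeeId, Salary FROM dbo.Payroll;   -- rejected by the permission check
END TRY
BEGIN CATCH
    SELECT 'SELECT denied: ' + ERROR_MESSAGE() AS outcome;
END CATCH;
BEGIN TRY
    -- Security Management is reserved to administrators (O.MANAGE): an ordinary
    -- user cannot alter the security attributes of an object it does not own.
    GRANT SELECT ON dbo.Payroll TO demo_reader;
END TRY
BEGIN CATCH
    SELECT 'GRANT denied: ' + ERROR_MESSAGE() AS outcome;
END CATCH;
REVERT;
GO
-- Administrator action: add the user to the role. sp_addrolemember is the
-- SQL Server 2008 procedure (ALTER ROLE ... ADD MEMBER arrived in later releases).
EXEC sp_addrolemember @rolename = 'app_reader', @membername = 'demo_reader';
GO
-- The same statement is now permitted: the role membership is part of the user
-- context the relational engine establishes before it checks permissions.
EXECUTE AS USER = 'demo_reader';
SELECT permission_name FROM fn_my_permissions('dbo.Payroll', 'OBJECT');
SELECT EmployeeId, Salary FROM dbo.Payroll;
REVERT;
GO
-- Clean up the test objects.
USE master;
GO
DROP DATABASE CCDemo;
DROP LOGIN demo_reader;
GO
```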

The following functions are part of the environment:
 The Audit Review and Audit Storage functionality has to be provided by the
environment and provide the authorized administrators with the capability to review
the security relevant events of the TOE.
 Access Control mechanisms have to be provided by the environment for files
stored in the environment.
 The environment provides Identification and Authentication² for users for the cases
where this is required by the TOE (the environment AND the TOE provide
mechanisms for user authentication; see chapter 7.3 for more details).
 The environment has to provide time stamps to be used by the TOE.
 The environment provides a cryptographic mechanism for hashing of passwords.
All these functions are provided by the underlying Operating System (Windows 2008 Server
Enterprise Edition) except Audit Review, for which an additional tool has to be used (e.g. the
SQL Server Profiler, which is part of the SQL Server Platform).
Access to the complete functionality of the TOE is possible via a set of SQL commands (see
[TSQL]).
This set of commands is available via:
 Shared Memory
 Named Pipes
 TCP/IP

² Note that the TOE as well as the environment provides a mechanism for identification and authentication.
Chapter 7 will describe this in more detail.


1.4 Conventions
For this Security Target the following conventions are used:
The CC allows several operations to be performed on functional requirements; refinement,
selection, assignment, and iteration are defined in chapter C.4 of Part 1 of the CC. Each of
these operations is used in this ST.

The refinement operation is used to add detail to a requirement, and thus further restricts a
requirement. Refinement of security requirements is denoted by bold text.
The selection operation is used to select one or more options provided by the CC in stating
a requirement. Selections that have been made are denoted by italicized text.
The assignment operation is used to assign a specific value to an unspecified parameter,
such as the length of a password. Assignments that have been made are denoted by
showing the value in square brackets, [Assignment_value].
The iteration operation is used when a component is repeated with varying operations.
Iteration is denoted by showing the iteration number in parenthesis following the component
identifier, (iteration_number).
The CC paradigm also allows protection profile and security target authors to create their
own requirements. Such requirements are termed 'explicit requirements' and are permitted if
the CC does not offer suitable requirements to meet the authors' needs. Explicit
requirements must be identified and are required to use the CC class/family/component
model in articulating the requirements. In this ST, explicit requirements will be indicated with
".EXP" following the component name.


2 Conformance Claims
2.1 CC Conformance Claim
This Security Target claims to be
 CC Part 2 (Version 3.1, Revision 2, September 2007) extended due to the use of
the component FAU_STG.5.EXP
 CC Part 3 (Version 3.1, Revision 2, September 2007) conformant as only
assurance components as defined in part III of [CC] have been used.
Further this Security Target claims to be conformant to the Security Assurance Requirements
package EAL 1 augmented by ASE_OBJ.2, ASE_REQ.2 and ASE_SPD.1.
2.2 PP Conformance Claim
This Security Target does not claim compliance to any Protection Profile.

3 Security Problem Definition
This chapter describes
 the assets that have to be protected by the TOE,
 assumptions about the environment of the TOE,
 threats against those assets and
 organizational security policies that the TOE shall comply with.
3.1 Assets
The TOE maintains two types of data which represent the assets: User Data and TSF Data.

The primary assets are the User Data which comprises the following:
 The user data stored in or as database objects;
 User-developed queries or procedures that the DBMS maintains for users.

The secondary assets comprise the TSF data that the TOE maintains and uses for its own
operation. This kind of data is also called metadata. It specifically includes:
 The definitions of user databases and database objects
 Configuration parameters,
 User security attributes,
 Security Audit instructions and records


3.2 Assumptions
The following table lists all the assumptions about the environment of the TOE.
Table 2 - Assumptions
A.NO_EVIL: Administrators are non-hostile, appropriately trained, and follow all administrator
guidance.
A.NO_GENERAL_PURPOSE: There are no general-purpose computing capabilities (e.g.,
compilers or user applications) available on DBMS servers, other than those services
necessary for the operation, administration and support of the DBMS.
A.OS: It is assumed that the TOE is installed on Windows Server 2008 Enterprise Edition and
that this Operating System provides functionality for
 Identification and authentication of users,
 Access Control for Files,
 Time stamps,
 Audit Storage,
 Hashing of passwords
A.PHYSICAL: It is assumed that appropriate physical security is provided for the server, on
which the TOE is installed, considering the value of the stored, processed, and transmitted
information.
A.COMM: It is assumed that any communication path from and to the TOE is appropriately
secured to avoid eavesdropping and manipulation.


3.3 Threats
The following table lists the threats against the assets, which are protected by the TOE and
its environment.

Table 3 - Threats to the TOE
T.ACCIDENTAL_ADMIN_ERROR: An administrator may incorrectly install or configure the
TOE resulting in ineffective TSF data and therewith ineffective security mechanisms.
T.MASQUERADE: A user or process may claim to be another entity in order to gain
unauthorized access to data or TOE resources.
T.TSF_COMPROMISE: A user or process may try to access (i.e. view, modify or delete)
configuration data of the TOE. This could allow the user or process to gain knowledge about
the configuration of the TOE or could bring the TOE into an insecure configuration in which
the security mechanisms for the protection of the assets are no longer working correctly.
T.UNAUTHORIZED_ACCESS: A user may try to gain unauthorized access to user data for
which they are not authorized according to the TOE security policy. Within the scope of this
threat the user just tries to access assets he doesn't have permission on, without trying to
masquerade as another user or circumventing the security mechanism in any other way.


3.4 Organizational Security Policies
An organizational security policy is a set of rules, practices, and procedures imposed by an
organization to address its security needs. This chapter identifies the organizational security
policies applicable to the TOE.
Table 4 – Organizational Security Policies
P.ACCOUNTABILITY: The authorized users of the TOE shall be held accountable for their
actions within the TOE.
P.ROLES: The TOE shall provide an authorized administrator role for secure administration
of the TOE. This role shall be separate and distinct from other authorized users.

4 Security Objectives
The purpose of the security objectives is to detail the planned response to a security problem
or threat. This chapter describes the security objectives for the TOE and its operational
environment.
4.1 Security Objectives for the TOE
This chapter identifies and describes the security objectives of the TOE.
Table 5 - Security Objectives for the TOE
O.ADMIN_ROLE: The TOE will provide authorized administrator roles to isolate administrative
actions. The TOE will provide administrators with the necessary information for secure
management.
O.AUDIT_GENERATION: The TOE will provide the capability to detect and create records of
security relevant events associated with users.
O.MANAGE: The TOE will provide all the functions and facilities necessary to support the
authorized administrators in their management of the security of the TOE, and restrict these
functions and facilities from unauthorized use.
O.MEDIATE: The TOE must protect user data in accordance with its security policy.
O.I&A: The TOE will provide a mechanism for identification and authentication of users.


4.2 Security Objectives for the operational Environment
The security objectives for the operational environment of the TOE are defined in the
following table.
Table 6 - Security Objectives for the TOE Environment
OE.NO_EVIL: Sites using the TOE shall ensure that authorized administrators are non-hostile,
appropriately trained and follow all administrator guidance.
OE.NO_GENERAL_PURPOSE: There will be no general-purpose computing capabilities (e.g.,
compilers or user applications) available on DBMS servers, other than those services
necessary for the operation, administration and support of the DBMS.
OE.OS: The TOE shall be installed on Windows Server 2008 Enterprise Edition. This
Operating System provides functionality for
 Identification and authentication of users,
 Access Control for Files,
 Time stamps,
 Audit Storage,
 Hashing of passwords
OE.PHYSICAL: Physical security shall be provided for the server, on which the TOE will be
installed, considering the value of the stored, processed, and transmitted information.
OE.COMM: Any communication path from and to the TOE will be appropriately secured to
avoid eavesdropping and manipulation.
OE.AUDIT_REVIEW: The environment shall provide tools for the administrators to review the
audit logs that are produced by the TOE.


4.3 Security Objectives Rationale
4.3.1 Overview
The following table summarizes the rationale for the security objectives.

Table 7 – Summary of Security Objectives Rationale
Each threat, assumption or organizational security policy is listed with the security objectives
(O.* for the TOE, OE.* for the environment) that address it.
T.ACCIDENTAL_ADMIN_ERROR: O.ADMIN_ROLE
T.MASQUERADE: O.I&A
T.TSF_COMPROMISE: O.MANAGE
T.UNAUTHORIZED_ACCESS: O.MEDIATE, O.I&A
P.ACCOUNTABILITY: O.AUDIT_GENERATION, O.I&A, OE.AUDIT_REVIEW
P.ROLES: O.ADMIN_ROLE
A.NO_EVIL: OE.NO_EVIL
A.NO_GENERAL_PURPOSE: OE.NO_GENERAL_PURPOSE
A.OS: OE.OS
A.PHYSICAL: OE.PHYSICAL
A.COMM: OE.COMM
Details are given in the following subchapters.

4.3.2 Rationale for TOE Security Objectives
Table 8 – Rationale for TOE Security Objectives
For each threat or policy the table gives the objectives addressing it and the rationale.

T.ACCIDENTAL_ADMIN_ERROR
Threat: An administrator may incorrectly install or configure the TOE resulting in ineffective
security mechanisms.
Objective O.ADMIN_ROLE: The TOE will provide administrators with the necessary
information for secure management.
Rationale: O.ADMIN_ROLE counters this threat by ensuring the TOE administrators have
guidance that instructs them how to administer the TOE in a secure manner. Having this
guidance and considering the assumption A.NO_EVIL mitigates the threat that an
administrator might cause the TOE to be configured insecurely to an acceptable level.

T.MASQUERADE
Threat: A user or process may claim to be another entity in order to gain unauthorized
access to data or TOE resources.
Objective O.I&A: The TOE will provide a mechanism for identification and authentication of
users.
Rationale: O.I&A counters this threat by providing the means to identify and authenticate
the user where the I&A mechanism of the environment is not used. The correct identity of
the user is the basis for any decision of the TOE about an attempt of a user to access data.
In this way it is not possible for a user or process to masquerade as another entity and the
threat is removed.

T.TSF_COMPROMISE
Threat: A user or process may try to access (i.e. view, modify or delete) configuration data
of the TOE. This could allow the user or process to gain knowledge about the configuration
of the TOE or could bring the TOE into an insecure configuration in which the security
mechanisms for the protection of the assets are no longer working correctly.
Objective O.MANAGE: The TOE will provide all the functions and facilities necessary to
support the authorized administrators in their management of the security of the TOE and
restrict these functions and facilities from unauthorized use.
Rationale: O.MANAGE counters this threat as it defines that only authorized administrators
shall be able to use the management functionality provided by the TOE. In this way the
threat is removed.

T.UNAUTHORIZED_ACCESS
Threat: A user may try to gain unauthorized access to user data for which they are not
authorized according to the TOE security policy. Within the scope of this threat the user just
tries to access assets he doesn't have permission on, without trying to masquerade as
another user or circumventing the security mechanism in any other way.
Objective O.MEDIATE: The TOE must protect user data in accordance with its security
policy.
Rationale: O.MEDIATE ensures that all accesses to user data are subject to mediation. The
TOE requires successful authentication to the TOE prior to gaining access to any
controlled-access content. Lastly, the TSF will ensure that all configured enforcement
functions (authentication, access control rules, etc.) must be invoked prior to allowing a user
to gain access to TOE or TOE mediated services. The TOE restricts the ability to modify the
security attributes associated with access control rules, access to authenticated and
unauthenticated services, etc. to the administrator. Together with O.I&A this mechanism
ensures that no user can gain unauthorized access to data and in this way removes the
threat.
Objective O.I&A: The TOE will provide a mechanism for identification and authentication of
users.
Rationale: O.I&A contributes to countering this threat by providing the means to identify
and authenticate the user where the I&A mechanism of the environment is not used. The
correct identity of the user is the basis for any decision of the TOE about an attempt of a
user to access data.

P.ACCOUNTABILITY
Policy: The authorized users of the TOE shall be held accountable for their actions within
the TOE.
Objective O.AUDIT_GENERATION: The TOE will provide the capability to detect and create
records of security relevant events associated with users.
Rationale: O.AUDIT_GENERATION addresses this policy by providing the authorized
administrator with the capability of configuring the audit mechanism to record the actions of
a specific user.
Objective O.I&A: The TOE will provide a mechanism for identification and authentication of
users.
Rationale: O.I&A supports this policy by providing the means to identify and authenticate
the user where the I&A mechanisms of the environment cannot be used. The identity of the
user is stored in the audit logs.
Objective OE.AUDIT_REVIEW (environment).
Rationale: OE.AUDIT_REVIEW supports the policy for accountability as the environment of
the TOE provides a means for audit review. Without this objective for the environment it
would not be possible to review the audit logs that are produced by the TOE.

P.ROLES
Policy: The TOE shall provide an authorized administrator role for secure administration of
the TOE. This role shall be separate and distinct from other authorized users.
Objective O.ADMIN_ROLE: The TOE will provide authorized administrator roles to isolate
administrative actions.
Rationale: The TOE has the objective of providing authorized administrator roles for secure
administration. In this way the policy P.ROLES is fulfilled by O.ADMIN_ROLE.
